Most firewalls/VPN appliances today allow you to select one of the various tunneling technologies available. The most popular are IPSEC and PPTP, although I've heard good things about OpenVPN. Is there any benefit to OpenVPN over the other two? Am I better off using IPSEC or PPTP?

4 Answers
4

Frankly any VPN which doesn't require a custom client is a good one. As it's a SOHO environment I assume that you don't have a requirement to authenticate against some back end user/password system like AD or LDAP.

PPTP has been in Windows for a long time as it's a Microsoft technology, but pretty much every OS now supports it. In the past it's had flaws, but has matured well. PPTP does not require an X509 certificate (although if you're using EAP it does).

IPSEC is a more open standard and is commonly used to protect server to server communications because it works on layer 3 and so is transparent to applications. Authentication is either via a preshared key or via certificates.

There's no real answer here. They're all much of a muchness these days. If you want multiple users connecting and want to audit then PPTP provides usernames and passwords, IPSEC doesn't - you can only change the preshared key to stop people authenticating and that affects everyone. Certificates aren't really doable for SOHO environments in my opinion.

I speak from experience in saying OpenVPN is much easier to set up and deploy than IPSec and its cousins. It's also much more flexible than Hamachi.

OpenVPN is definitely secure. It uses SSL to negotiate the connection and Blowfish (or AES if you prefer) to secure the connection. The algorithms have been in the public domain for many years and been subject to severe cryptanalysis. The PPTP flavor of IPSec is not really secure anymore. Hamachi has good security.

Your OpenVPN implementation is completely under your control. You can't say the same about Hamachi, which goes through LogMeIn's servers. You can't be sure of what Hamachi or the IPSec clients are really doing, because they are closed-source and proprietary systems. You also don't get the degree of configurability with those that you get with OpenVPN.

Don't misunderstand my opinion of Hamachi. It's a great product. I just don't think it's necessarily the best for the purpose.

Well, depending on your existing infrastructure, I would have two recommendations:

PPTP built in to Windows if you have a server that everyone would connect to. Most routers and other things tolerate it pretty well these days. Even DD-WRT supports it in both client and server modes... And out-of-the-box support for Windows clients is always a bonus.

Hamachi - a free p2p style VPN that generally "just works". I don't have a ton of experience using it, but having helped several people who do for SOHO type environments, it seems to fit the bill perfectly.